/ best free open source web resources /

Cross Domain Ajax using CSSHttpRequest

CSSHttpRequest is cross-domain Ajax using CSS. Like JavaScript includes, this works because CSS is not subject to the same-origin policy that affects XMLHttpRequest. CSSHttpRequest functions similarly to JSONP, and is limited to making GET requests. Unlike JSONP, untrusted third-party JavaScript cannot execute in the context of the calling page.

Data is encoded on the server into URI-encoded 2KB chunks and serialized into CSS rules with a modified data: URI scheme. The selector should be in the form #c<N>, where N is an integer index in [0,]. The response is decoded and returned to the callback function as a string:

I almost jizzed my pants when I saw this but then saw that it is only limited to .get()

if only POST is supported.

Gregory Magarshak

It’s interesting. I’m sure the idea was to make the code “safe”, i.e. it won’t run any javascript on your page. But it could still mess up your css.

I would suggest if you do use this technique, LOAD IT FROM ANOTHER FRAME. That way it can’t mess up the CSS.

Otherwise it seems to me to be a cool cross-domain technique. It solves the “trust the provider” problem. However it still does not solve the “authenticated user” problem. A superior solution (at least until browsers tighten security) is the cross-domain communication iframe technique.